Myths and realities of data security and compliance - Isaca Alanta - ulf mattsson jul 22 2016

Jan 18, 2017


Ulf Mattsson

Transcript
Page 1: Myths and realities of data security and compliance - Isaca Alanta - ulf mattsson jul 22 2016

Myths & Realities of Data Security & Compliance: Risk-based Data Protection

Ulf Mattsson, Chief Technology Officer, Compliance Engineering, [email protected]

www.complianceengineers.com

Page 2

Ulf Mattsson

Inventor of more than 25 US Patents

Industry Involvement

PCI DSS - PCI Security Standards Council
• Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs

IFIP - International Federation for Information Processing
• WG 11.3 Data and Application Security

CSA - Cloud Security Alliance

ANSI - American National Standards Institute
• ANSI X9 Tokenization Work Group

NIST - National Institute of Standards and Technology
• NIST Big Data Working Group

User Groups
• Security: ISACA & ISSA
• Databases: IBM & Oracle

Page 3

My work with PCI DSS Standards

Payment Card Industry Security Standards Council (PCI SSC)

1. PCI SSC Tokenization Task Force

2. PCI SSC Encryption Task Force

3. PCI SSC Point to Point Encryption Task Force

4. PCI SSC Risk Assessment SIG

5. PCI SSC eCommerce SIG

6. PCI SSC Cloud SIG

7. PCI SSC Virtualization SIG

8. PCI SSC Pre-Authorization SIG

9. PCI SSC Scoping SIG Working Group

10. PCI SSC 2013 – 2014 Tokenization Task Force

Page 4

Page 5

Page 6

The Security & Compliance Issue

The Dilemma for CISO, CIO, CFO, CEO, and Board
• Where are my most valuable data assets?
• Who Has Access to Them?
• Are They Secure?
• Insider/External Threats?
• Am I Compliant?
• What is/has been the Financial Cost?
• Am I Adhering to Best Practices? How Do I Compare to My Peers?
• Can I Automate the Lifecycle of Data Security?

Page 7

Page 8

Page 9

Not Knowing Where Sensitive Data Is

Page 10

Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

Page 11

Page 12

PCI-DSS and Beyond

Page 13

Are You Ready for the New Requirements of PCI-DSS V3.2?

Page 14

Old PCI DSS Requirement 3.1

Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:

1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

Discovery Results Supporting Compliance

Page 15

New PCI DSS 3.2 Standard – Data Discovery

• PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in “Scope of Assessment for Compliance with PCI DSS Requirements.”
• PCI DSS v3.1 added data flow into a requirement.
• PCI DSS v3.2 added data discovery into a requirement.

Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers

Page 16

PCI DSS 3.2 Requirement - Discovery

Example of a Discovery Process:

1. Scoping
2. Asset Classification
3. Job Scan Definition
4. Scanning
5. Analysis
6. Reporting
7. Remediation

Page 17

Shift in Cybersecurity Investment

• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.

Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016

Page 18

Growing Information Security Outsourcing

The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).

Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update

Page 19

Hybrid Data Discovery Example

Page 20

Discovery Deployment Example

Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access

Diagram labels: Appliance, Discovery, Admin

Page 21

Example - Discovery Scanning Job Status List

Page 22

Discovery Process (Step 4) – Scanning Job Lists

Discover all sensitive PII – Not just PCI data

STEP 4: The scanning execution can be monitored by the Provider and the customer via a Job Scheduler interface.

Page 23

Discovery Scanning Report

Discover All Sensitive PII – Not just PCI data

Database         Schema      Table                  Column    Type   Hits   Confidence   Rows Scanned   Total Rows   Hit %     Scanned %
actrs10-rs10prd  ITMBK_BARB  ITMBK_BARB.STAFF       SSN       ssn    5356   4            9481           9481         56.49%    100.00%
actrs11-rs11prd  AAPR        AAPR.REG_AAP           SSN       ssn    12     4            12             12           100.00%   100.00%
actrs11-rs11prd  AAPTIR      AAPTIR.APPLICANT       SSN       ssn    3      4            3              3            100.00%   100.00%
actrs11-rs11prd  BENESSE     BENESSE.TRAIN          SSN       s-s-n  21     5            21             21           100.00%   100.00%
actrs11-rs11prd  CAAPPROD    CAAPPROD.PN55650683    SSN       ssn    58     4            58             58           100.00%   100.00%
actrs11-rs11prd  COMP        COMP.AAPTIR            SPEC_CDE  ssn    4      1            4              4            100.00%   100.00%
actrs11-rs11prd  COMP        COMP.AAPTIR            SSN       ssn    4      4            4              4            100.00%   100.00%
actrs11-rs11prd  FOOBAR1     FOOBAR1.SCORE          SSN       s-s-n  7      5            7              7            100.00%   100.00%
actrs11-rs11prd  INS         INS.MSTEMP             ANUMBER   ssn    155    1            155            155          100.00%   100.00%

Page 24

On Premise Data Discovery Example

Page 25

Example of On Premise Solution Scan

Page 26

Example of On Premise Discovery Asset Management

Page 27

Page 28

FS-ISAC* Summit about “Know Your Data”

*: FS-ISAC is the leading ISAC in the security area

Page 29

FS-ISAC Summit about “Know Your Data”

• Encryption at rest has become the new norm
• However, that’s not sufficient
• Visibility into how and where it flows during the course of normal business is critical

Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit

Page 30

Risk & Remediation

Page 31

Know Your Data – Identify High Risk Data

Begin by determining the risk profile of all relevant data collected and stored:
• Data that is resalable for a profit
• Value of the information to your organization
• Anticipated cost of its exposure

Data Field                Risk Level
Credit Card Number        25
Social Security Number    20
CVV                       20
Customer Name             12
Secret Formula            10
Employee Name             9
Employee Health Record    6
Zip Code                  3

Page 32

Match Data Protection Solutions with Risk Level – Deploy Defenses

Risk Level            Solution
Low Risk (1-5)        Monitor
At Risk (6-15)        Monitor, mask, access control limits, format control encryption
High Risk (16-25)     Tokenization, strong encryption

Data Field                Risk Level
Credit Card Number        25
Social Security Number    20
CVV                       20
Customer Name             12
Secret Formula            10
Employee Name             9
Employee Health Record    6
Zip Code                  3
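As an added example (not part of the deck or of any discovery product), the following Python script reads rows in the scanning-report layout of the slide-23 report, assigns each hit the risk level from the “Know Your Data” table and the defense band from this slide, and flags findings whose confidence or scan coverage is too low to act on. The classifier labels other than ssn/s-s-n, the host and schema names, and the confidence threshold are assumptions.

```python
"""Rank discovery-scan findings by the deck's data risk profile.

Added example; not from the deck or any vendor tool. Assumes whitespace-separated
rows in this column order: Database Schema Table Column Type Hits Confidence
RowsScanned TotalRows Hit% Scanned%
"""

# Risk levels from the "Know Your Data" slide (1-25 scale).
RISK_LEVEL = {"Credit Card Number": 25, "Social Security Number": 20, "CVV": 20,
              "Customer Name": 12, "Secret Formula": 10, "Employee Name": 9,
              "Employee Health Record": 6, "Zip Code": 3}

# Risk bands and the defenses the deck matches to each band.
RISK_BANDS = [
    (16, 25, "High Risk", "Tokenization, strong encryption"),
    (6, 15, "At Risk", "Monitor, mask, access control limits, format control encryption"),
    (1, 5, "Low Risk", "Monitor"),
]

# Assumed mapping from the scanner's classifier label to a data field.
# "ssn"/"s-s-n" appear in the slide's sample report; the others are constructed.
CLASSIFIER_TO_FIELD = {"ssn": "Social Security Number", "s-s-n": "Social Security Number",
                       "pan": "Credit Card Number", "cvv": "CVV", "zip": "Zip Code"}


def band_for(risk: int) -> tuple[str, str]:
    """Return (band name, recommended controls) for a 1-25 risk level."""
    for low, high, name, controls in RISK_BANDS:
        if low <= risk <= high:
            return name, controls
    raise ValueError(f"risk {risk} is outside the 1-25 scale")


def parse_report(text: str) -> list[dict]:
    """Parse report rows; rows whose classifier is not in the risk profile are skipped."""
    findings = []
    for line in text.strip().splitlines():
        cols = line.split()
        if len(cols) != 11:
            raise ValueError(f"expected 11 columns, got {len(cols)}: {line!r}")
        db, _schema, table, column, ctype, hits, conf, _rows, _total, _hit, scanned = cols
        field = CLASSIFIER_TO_FIELD.get(ctype.lower())
        if field is None:
            continue
        findings.append({"location": f"{db}/{table}.{column}", "field": field,
                         "hits": int(hits), "confidence": int(conf),
                         "scanned_pct": float(scanned.rstrip("%"))})
    return findings


def prioritize(findings: list[dict], min_confidence: int = 4) -> list[dict]:
    """Order by risk level, then hit count; flag rows that need a second look."""
    out = []
    for f in sorted(findings, key=lambda f: (-RISK_LEVEL[f["field"]], -f["hits"])):
        risk = RISK_LEVEL[f["field"]]
        band, controls = band_for(risk)
        notes = []
        if f["confidence"] < min_confidence:
            notes.append("low confidence: verify before remediating")
        if f["scanned_pct"] < 100.0:
            notes.append("partial scan: rerun before signing off")
        out.append({**f, "risk": risk, "band": band, "controls": controls, "notes": notes})
    return out


# Constructed sample rows in the slide's column order (not real hosts or schemas).
SAMPLE_REPORT = """
dbhost1-prd HR HR.STAFF SSN ssn 5356 4 9481 9481 56.49% 100.00%
dbhost2-prd SALES SALES.ORDERS CARD pan 120 5 120 120 100.00% 100.00%
dbhost2-prd SALES SALES.ORDERS POSTCODE zip 120 5 120 120 100.00% 100.00%
dbhost2-prd APP APP.LOOKUP SPEC_CDE ssn 4 1 4 4 100.00% 100.00%
dbhost3-prd OPS OPS.TEMP SSN ssn 60 4 60 9000 100.00% 0.67%
"""
```

Running `prioritize(parse_report(SAMPLE_REPORT))` puts the card-number column first, the three SSN columns next ordered by hit count, and the zip code last under "Monitor", with the single-hit-confidence and 0.67 %-scanned rows carrying review notes.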

Page 33

Different Data Security Methods

Page 34

Securing Sensitive Data - Examples

Chart (Platform vs. Feature, 1998 - 2016): Strong Encryption in Databases, Type Preserving Encryption, Memory Tokenization, Masking

Page 35

How did Data Security Evolve 1970 - 2010?

Chart (Total Cost of Ownership, High to Low, over Time 1970 - 2010): Strong Encryption: 3DES, AES …; Type Preserving Encryption: FPE, DTP …; Tokenization in Memory

Page 36

Choose Your Defenses – Strengths & Weakness

Legend: Best to Worst

Page 37

Compliance

Page 38

NIST - Increasing Relevance

Crypto Modules (PCI DSS - Payment Card Industry Data Security Standard; Hardware & Software Security Modules): NIST Federal Information Processing Standard FIPS 140; NIST Special Publication 800-57
AES - Advanced Encryption Standard: NIST U.S. FIPS PUB 197
FPE - Format Preserving Encryption: NIST Special Publication 800-38G
HIPAA (HIPAA/HITECH/BREACH-NOTIFICATION): NIST SP 800-111

Page 39

FPE Gets NIST Stamp of Approval

Page 40

Need for Masking Standards

Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory.

There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result of de-identification.

Page 41

Defines Tokenization Security Requirements

Page 42

How Should I Secure Different Data?

Chart (Type of Data: Structured vs. Un-structured; Use Case: Simple to Complex):
• PCI – Card Holder Data
• PHI – Protected Health Information
• PII – Personally Identifiable Information
• File Encryption
• Field Tokenization / Encryption

Page 43

Data Location is Important

Page 44

Data Attacks on the Enterprise Data Flow

Diagram labels: Internet, Load Balancing, Proxy FW, DMZ, Web Apps, Trusted Segment, Enterprise Apps, Network Devices, Server, DB Server, SAN/NAS/Tape, Internal Users, Transactions, IDS/IPS, End-point, Wire-less
Attack labels: DBA Attack, Malware/Trojan, OS Admin File Attack, SQL Injection, Media Attack, Sniffer Attack

Page 45

Common Vulnerabilities in E-Commerce

Source: Verifone

Page 46

Data Exposed in Cloud & Big Data

Do we know our sensitive data? (Big Data, Public Cloud)

Page 47

Encryption Usage - Mature vs. Immature Companies

Chart: Less use of encryption – Public Cloud

Source: Ponemon - Encryption Application Trends Study • June 2016

Page 48

Data-Centric Protection Increases Security

• Rather than making the protection platform based, the security is applied directly to the data, protecting it wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points

Page 49

Protect Sensitive Cloud Data - Example

Diagram labels: Internal Network (Administrator, Internal User), Attacker, Remote User, Cloud Gateway, Public Cloud
• Each sensitive field is protected
• Each authorized field is in clear

Data encryption, tokenization or masking of fields or files (at transit and rest)

Page 50

Cloud Providers Not Becoming Security Vendors

• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP — driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments

Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016

Page 51

Encryption Usage - Mature vs. Immature Companies

Chart: Less use of encryption – Big Data

Source: Ponemon - Encryption Application Trends Study • June 2016

Page 52

Attacking Big Data

Diagram labels: HDFS (Hadoop Distributed File System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; MapReduce (Job Scheduling/Execution System); OS File System; Big Data

Page 53

Securing Big Data - Examples

• Volume encryption in Hadoop
• Hbase, Pig, Hive, Flume and Scope using protection API
• MapReduce using protection API
• File and folder encryption in HDFS
• Export de-identified data

Diagram labels: Import de-identified data; Export identifiable data; Export audit for reporting; Data protection at database, application, file or in a staging area; HDFS (Hadoop Distributed File System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; MapReduce (Job Scheduling/Execution System); OS File System; Big Data

Data encryption, tokenization or masking of fields or files (at transit and rest)

Page 54

Data Protection Implementation Layers

Topology: Local Service, Remote Service (rated on Performance, Scalability, Security)
System Layer: Application, Database, File System (rated on Performance, Transparency, Security)

Legend: Best to Worst

Page 55

Are Your Deployed Security Controls Failing?

Page 56

Page 57

PCI DSS 3.2 – Security Control Failures

PCI DSS 3.2 includes 10.8 and 10.8.1, which outline that service providers need to detect and report on failures of critical security control systems.

PCI Security Standards Council CTO Troy Leach explained:
• “without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment.”
• “While this is a new requirement only for service providers, we encourage all organizations to evaluate the merit of this control for their unique environment and adopt as good security hygiene.”
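As an added example (not from the deck, the PCI SSC or any product), the Python code below shows one way to build the detection side of 10.8: it reads control heartbeat records, reports every critical control that last reported a failure or has gone silent, and measures how long each one has lacked a healthy heartbeat, the window the quote above warns about. The heartbeat format, the control names and their maximum gaps are assumptions.

```python
"""Detect and report failures of critical security controls from heartbeat records.

Added example, not from the deck or any product. Assumes each control emits a JSON
line {"control": ..., "status": "ok" | "fail", "ts": ISO-8601 UTC}; silence longer
than the control's maximum gap also counts as a failure.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory (placeholder names): control -> longest tolerated heartbeat gap.
CRITICAL_CONTROLS = {
    "perimeter-fw": timedelta(minutes=5),
    "ids-ips": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "audit-logging": timedelta(minutes=15),
}

def parse_heartbeats(lines):
    """Parse JSON heartbeat lines; malformed lines are returned, not silently dropped."""
    records, bad = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
        except (ValueError, KeyError, TypeError, AttributeError):
            bad.append((n, line))
    return records, bad

def control_failures(records, now, controls=CRITICAL_CONTROLS):
    """Return {control: report} for each critical control not known healthy at `now`.
    The report gives the reason and the minutes since the last healthy heartbeat."""
    last, last_ok = {}, {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        name = rec.get("control")
        if name not in controls:
            continue            # not a critical control; ignore
        last[name] = rec
        if rec.get("status") == "ok":
            last_ok[name] = rec["ts"]
    failures = {}
    for name, max_gap in controls.items():
        rec = last.get(name)
        if rec is None:
            reason = "no heartbeat ever received"
        elif rec.get("status") != "ok":
            reason = f"reported {rec.get('status')!r} at {rec['ts'].isoformat()}"
        elif now - rec["ts"] > max_gap:
            reason = f"silent since {rec['ts'].isoformat()} (max gap {max_gap})"
        else:
            continue            # healthy and recent
        since = last_ok.get(name)
        failures[name] = {"reason": reason,
                          "minutes_unhealthy": (now - since).total_seconds() / 60 if since else None}
    return failures

# Constructed heartbeat stream evaluated at NOW; the last line is deliberately malformed.
NOW = datetime(2016, 7, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '{"control": "perimeter-fw", "status": "ok", "ts": "2016-07-22T11:58:00Z"}',
    '{"control": "ids-ips", "status": "ok", "ts": "2016-07-22T11:30:00Z"}',
    '{"control": "fim", "status": "ok", "ts": "2016-07-22T10:00:00Z"}',
    '{"control": "fim", "status": "fail", "ts": "2016-07-22T11:45:00Z"}',
    '{"control": "wifi-ctl", "status": "ok", "ts": "2016-07-22T11:59:00Z"}',
    'not a heartbeat at all',
]
```

Against the sample, `control_failures(parse_heartbeats(SAMPLE_LINES)[0], NOW)` reports the IDS/IPS as silent for 30 minutes, the FIM as failed for 120 minutes, and audit logging as never heard from, while the firewall is healthy and the non-critical control is ignored.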

Page 58

Example - Report on Failures of Critical Security Controls

Diagram labels: API, MTSS, Management Environment

Page 59

Managed Tools Security Services - Example

Page 60

Examples of Security Outsourcing Models

MSSP - Managed Security Service Provider
• SOC – Security Operations Center
• Security monitoring
• Firewall integration / management
• Vulnerability scanning
• SIEM - Security Incident & Event Monitoring and management

MTSS - Managed Tool Security Service
• Professional Services that apply best practices & expert analysis of your security tools
• Customized alarms and reports through SaaS
• Provides overall security tools management and monitoring
• Ticketing, Resolution & Reporting
• Ensure availability of security tools
• License analysis

WHO IS MONITORING YOUR MSSP?

Page 61

Benefits of Managed Tool Security Service (for the CIO, CTO and CISO)

• Security controls in place and functioning
• Prepared to address information security when it becomes a Boardroom Issue
• Visibility to measure ROI
• Confidence in reduced risk of data loss, damaged share price, stolen IP, etc.
• Ability to produce a positive return on capital investments in tools
• Cost reduction (people, licenses, maintenance, etc.)
• Reduced risk of breach and associated costs (financial, reputational, regulatory losses)

Page 62

I think it is Time to Re-think

Page 63

Page 64

About Compliance Engineering

Page 65

Security Tools and Integrated Services

• Security Operations Center (SOC): 24/7 Eyes on Glass (EoG) monitoring
• Managed Tools Security Service
• Discovery: Software as a Service (SaaS) data discovery solution

Page 66

Samples of Our Services

Compliance Assessments
• PCI DSS & PA Gap
• HIPAA (2013 HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security Posture Assessments (based on industry best practices)
• BCP & DRP (SMB market)

Professional Security Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment

E Security & Vendor Products
• Data Discovery
• Managed Tools Security Service
• Data Loss Protection
• SIEM & Logging
• Identity and Access Management
• EndPoint Protection
• Network Security Devices
• Encryption
• Unified Threat
• Multi-factor Authentication

Managed Security Services
• MSSP/SOC
• SIEM 365
• Data Center SOC
• IDM/IAM Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.)
• Vulnerability Scans
• Penetration Testing

Page 67

Thank you

Ulf Mattsson, Chief Technology Officer, Compliance Engineering

[email protected]